[nsd-users] nsd-3.2.2 and initgroups ?
Matthijs Mekking
matthijs at NLnetLabs.nl
Mon Aug 10 08:37:45 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have adapted the NSD code to be more portable and it will be in the
next release.
Best regards,
Matthijs
Jarno Huuskonen wrote:
> Hi,
>
> On Thu, Aug 06, Noa Resare wrote:
>> I don't have access to any nonlinux boxes, but it seems like unbound
>> has fixed this very problem in a way that is at least somewhat more
>> portable:
>>
>> More info at: http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=250
>
> Something like that would probably be sufficient ?
>
> -Jarno
>
>> /noa
>>
>> 6 aug 2009 kl. 15.24 skrev Matthijs Mekking:
>>
> Hi Jarno,
>
> First of all, sorry for not replying the original message.
>
> The problem with initgroups is that it is only available if
> _BSD_SOURCE_
> is defined. So, it is not very portable. I am not sure if there is a
> easy portable fix that would also do the job...
>
> Best regards,
>
> Matthijs Mekking
> NLnet Labs
>
> Jarno Huuskonen wrote:
>>>>> I originally sent this to nsd-bugs at nlnetlabs.nl on 22.6.2009, but
>>>>> never
>>>>> received a reply.
>>>>>
>>>>> -----------------------------------
>>>>>
>>>>> I was testing nsd-3.2.2 and noticed that when dropping root
>>>>> privileges nsd doesn't call initgroups (or setgroups).
>>>>>
>>>>> On typical Linux distro (I'm testing with CentOS 5.3) this
>>>>> means that nsd retains extra groups
>>>>> (with CentOS groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
>>>>> 10(wheel)).
>>>>>
>>>>> Here's a small patch that I made:
>>>>> diff -urN nsd-3.2.2.orig/server.c nsd-3.2.2/server.c
>>>>> --- nsd-3.2.2.orig/server.c 2009-04-03 14:56:43.000000000 +0300
>>>>> +++ nsd-3.2.2/server.c 2009-06-22 13:11:03.000000000 +0300
>>>>> @@ -21,6 +21,7 @@
>>>>> #include <ctype.h>
>>>>> #include <errno.h>
>>>>> #include <fcntl.h>
>>>>> +#include <grp.h>
>>>>> #include <stddef.h>
>>>>> #include <stdio.h>
>>>>> #include <stdlib.h>
>>>>> @@ -533,7 +534,7 @@
>>>>> }
>>>>>
>>>>> /* Drop the permissions */
>>>>> - if (setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
>>>>> + if (initgroups(nsd->username, nsd->gid) != 0 || setgid(nsd-
>>>>>> gid) != 0 || setuid(nsd->uid) !=0) {
>>>>> log_msg(LOG_ERR, "unable to drop user privileges: %s",
>>>>> strerror(errno));
>>>>> pid_unlink(nsd->pidfile);
>>>>>
>>>>>
>>>>> Note: I haven't tested the patch (other than checking that
>>>>> nsd starts and drops the extra groups).
>>>>>
>>>>> -Jarno
>>>>>
_______________________________________________
nsd-users mailing list
nsd-users at NLnetLabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEcBAEBAgAGBQJKf9xWAAoJEA8yVCPsQCW50uEH/RpEt9Sbx4ooy1qjz3zXrZtw
FhBrnQFUWBhbVEm+XKfWz+GgD28slyKaIOF6sctvvVJDZMKvSpN1U2jLcNardIGB
PNh7li5IX85xovIBQwcli3G7XGSYSNJx4horYMjml0BxQ2hvIvfAXV4H56VVvtjn
wDFxmcgC+JQZ0MCySDKkty+coWr7VWY8NXxfuWbW512YrPhMGi8Gm9r0jmg/ZrwL
gfAAXKy8CUXT1FwoRonvRd+LO0nN4CeWV8aFbJCL0l9473EmqCwmauSC2s1Wk+84
PunfJP331dfL52kUZYwtZYOzoJHveR/IXI48ZL/MmUvjYBn4bRJCWBMTe8HKaiQ=
=sgtj
-----END PGP SIGNATURE-----
More information about the nsd-users
mailing list